diff --git a/ansible/roles/aodh/templates/aodh.conf.j2 b/ansible/roles/aodh/templates/aodh.conf.j2 index 860e6f60f4..10d720689c 100644 --- a/ansible/roles/aodh/templates/aodh.conf.j2 +++ b/ansible/roles/aodh/templates/aodh.conf.j2 @@ -16,6 +16,7 @@ connection_recycle_time = {{ database_connection_recycle_time }} max_pool_size = {{ database_max_pool_size }} [keystone_authtoken] +service_type = alarming memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2 index 546dbc7f04..4ea9f53b46 100644 --- a/ansible/roles/barbican/templates/barbican.conf.j2 +++ b/ansible/roles/barbican/templates/barbican.conf.j2 @@ -53,6 +53,7 @@ topic = barbican_notifications {% endif %} [keystone_authtoken] +service_type = key-manager www_authenticate_uri = {{ keystone_internal_url }} project_domain_id = {{ default_project_domain_id }} project_name = service diff --git a/ansible/roles/blazar/templates/blazar.conf.j2 b/ansible/roles/blazar/templates/blazar.conf.j2 index 69890191a3..a43ce0b9e5 100644 --- a/ansible/roles/blazar/templates/blazar.conf.j2 +++ b/ansible/roles/blazar/templates/blazar.conf.j2 @@ -20,6 +20,7 @@ api_v2_controllers = oshosts,leases plugins = virtual.instance.plugin,physical.host.plugin [keystone_authtoken] +service_type = reservation www_authenticate_uri = {{ keystone_internal_url }}/v3 auth_url = {{ keystone_internal_url }}/v3 auth_type = password diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2 index 4f37fccb21..355b53696f 100644 --- a/ansible/roles/cinder/templates/cinder.conf.j2 +++ b/ansible/roles/cinder/templates/cinder.conf.j2 
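Review bot: The literal `alarming` on the added `service_type` line in aodh.conf.j2 is not tied to the service type this role registers in the Keystone catalog, and the same hard-coded pattern repeats in every other template hunk of this commit. As far as I know, keystonemiddleware compares this string with the `service` field of an application credential access rule and rejects the token when nothing matches. A drift would therefore fail closed, but it would silently break restricted credentials for that service. Consider rendering the value from the role's service-registration variable, or at least adding a comment above it such as `# must equal the service type registered in Keystone; used to enforce application credential access rules`. The `[keystone_authtoken]` section continues past the end of the hunk.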
@@ -98,6 +98,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = volume www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2 b/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2 index af9e368fe8..cb04b3b814 100644 --- a/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2 +++ b/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2 @@ -17,6 +17,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = rating www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/cyborg/templates/cyborg.conf.j2 b/ansible/roles/cyborg/templates/cyborg.conf.j2 index 180c7f8ef9..22d95bc103 100644 --- a/ansible/roles/cyborg/templates/cyborg.conf.j2 +++ b/ansible/roles/cyborg/templates/cyborg.conf.j2 @@ -15,6 +15,7 @@ connection_recycle_time = {{ database_connection_recycle_time }} max_pool_size = {{ database_max_pool_size }} [keystone_authtoken] +service_type = cyborg memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} memcache_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} diff --git a/ansible/roles/designate/templates/designate.conf.j2 b/ansible/roles/designate/templates/designate.conf.j2 index e47c913d50..50e4dc31ca 100644 --- a/ansible/roles/designate/templates/designate.conf.j2 +++ b/ansible/roles/designate/templates/designate.conf.j2 @@ -19,6 +19,7 @@ enable_host_header = True enabled_extensions_admin = quotas, reports [keystone_authtoken] +service_type = dns www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password 
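Review bot: In cyborg.conf.j2 the added line `service_type = cyborg` uses the project name, whereas nearly every other hunk in this commit uses a functional catalog type (`volume`, `rating`, `dns`). If the Cyborg endpoint is registered in Keystone under a different type, access rules written against the catalog type would never match this value, and restricted application credentials would be refused for this API. Please confirm the value against the role's Keystone service definition, which is not visible in this diff.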
diff --git a/ansible/roles/freezer/templates/freezer.conf.j2 b/ansible/roles/freezer/templates/freezer.conf.j2 index 99b6365b43..12189eb508 100644 --- a/ansible/roles/freezer/templates/freezer.conf.j2 +++ b/ansible/roles/freezer/templates/freezer.conf.j2 @@ -24,6 +24,7 @@ os_user_domain_name = {{ openstack_auth.user_domain_name }} {% if service_name == 'freezer-api' %} [keystone_authtoken] +service_type = backup www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2 index 371ad6d464..f49b5a8b55 100644 --- a/ansible/roles/glance/templates/glance-api.conf.j2 +++ b/ansible/roles/glance/templates/glance-api.conf.j2 @@ -41,6 +41,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = image www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/gnocchi/templates/gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/gnocchi.conf.j2 index e2f53ad3f8..870f434f4b 100644 --- a/ansible/roles/gnocchi/templates/gnocchi.conf.j2 +++ b/ansible/roles/gnocchi/templates/gnocchi.conf.j2 @@ -44,6 +44,7 @@ workers = {{ gnocchi_metricd_workers }} url = mysql+pymysql://{{ gnocchi_database_user }}:{{ gnocchi_database_password }}@{{ gnocchi_database_address }}/{{ gnocchi_database_name }} [keystone_authtoken] +service_type = metric www_authenticate_uri = {{ keystone_internal_url }}/v3 project_domain_id = {{ default_project_domain_id }} project_name = service diff --git a/ansible/roles/heat/templates/heat.conf.j2 b/ansible/roles/heat/templates/heat.conf.j2 index ca954cf403..4720870253 100644 --- a/ansible/roles/heat/templates/heat.conf.j2 +++ b/ansible/roles/heat/templates/heat.conf.j2 
@@ -29,6 +29,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = orchestration www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/ironic/templates/ironic-inspector.conf.j2 b/ansible/roles/ironic/templates/ironic-inspector.conf.j2 index 6a1eebb2eb..fa88d71396 100644 --- a/ansible/roles/ironic/templates/ironic-inspector.conf.j2 +++ b/ansible/roles/ironic/templates/ironic-inspector.conf.j2 @@ -37,6 +37,7 @@ endpoint_override = {{ ironic_internal_endpoint }} {% if ironic_enable_keystone_integration | bool %} [keystone_authtoken] +service_type = baremetal-introspection www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2 index 17a062e3c5..dfc7d4c049 100644 --- a/ansible/roles/ironic/templates/ironic.conf.j2 +++ b/ansible/roles/ironic/templates/ironic.conf.j2 @@ -47,6 +47,7 @@ max_retries = -1 {% if ironic_enable_keystone_integration | bool %} [keystone_authtoken] +service_type = baremetal www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2 index 072ea353aa..5a7051545e 100644 --- a/ansible/roles/magnum/templates/magnum.conf.j2 +++ b/ansible/roles/magnum/templates/magnum.conf.j2 @@ -75,6 +75,7 @@ auth_type = password cafile = {{ openstack_cacert }} [keystone_authtoken] +service_type = container-infra auth_version = v3 www_authenticate_uri = {{ keystone_internal_url }}/v3 auth_url = {{ keystone_internal_url }} diff --git a/ansible/roles/manila/templates/manila.conf.j2 b/ansible/roles/manila/templates/manila.conf.j2 index e5f5c359b3..22940e9110 100644 --- a/ansible/roles/manila/templates/manila.conf.j2 
+++ b/ansible/roles/manila/templates/manila.conf.j2 @@ -31,6 +31,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = share www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/masakari/templates/masakari.conf.j2 b/ansible/roles/masakari/templates/masakari.conf.j2 index fe46740b76..814227332c 100644 --- a/ansible/roles/masakari/templates/masakari.conf.j2 +++ b/ansible/roles/masakari/templates/masakari.conf.j2 @@ -22,6 +22,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = instance-ha www_authenticate_uri = {{ keystone_internal_url }}/v3 auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/mistral/templates/mistral.conf.j2 b/ansible/roles/mistral/templates/mistral.conf.j2 index 58291e5703..3f357aae00 100644 --- a/ansible/roles/mistral/templates/mistral.conf.j2 +++ b/ansible/roles/mistral/templates/mistral.conf.j2 @@ -39,6 +39,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = workflow www_authenticate_uri = {{ keystone_internal_url }}/v3 auth_url = {{ keystone_internal_url }}/v3 auth_type = password diff --git a/ansible/roles/monasca/templates/monasca-api/api.conf.j2 b/ansible/roles/monasca/templates/monasca-api/api.conf.j2 index 14990642b6..c9bc03a412 100644 --- a/ansible/roles/monasca/templates/monasca-api/api.conf.j2 +++ b/ansible/roles/monasca/templates/monasca-api/api.conf.j2 @@ -31,6 +31,7 @@ read_only_authorized_roles = {{ monasca_read_only_authorized_roles|join(', ') }} delegate_authorized_roles = {{ monasca_delegate_authorized_roles|join(', ') }} [keystone_authtoken] +service_type = logging-monitoring www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password 
diff --git a/ansible/roles/murano/templates/murano.conf.j2 b/ansible/roles/murano/templates/murano.conf.j2 index 3d8f05b7b7..6bd30f20d6 100644 --- a/ansible/roles/murano/templates/murano.conf.j2 +++ b/ansible/roles/murano/templates/murano.conf.j2 @@ -21,6 +21,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = application-catalog www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/neutron/templates/neutron.conf.j2 b/ansible/roles/neutron/templates/neutron.conf.j2 index b952fba2cd..edc7a3e3c5 100644 --- a/ansible/roles/neutron/templates/neutron.conf.j2 +++ b/ansible/roles/neutron/templates/neutron.conf.j2 @@ -113,6 +113,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = network www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2 index 8cf9e77852..fe50ba6888 100644 --- a/ansible/roles/nova/templates/nova.conf.j2 +++ b/ansible/roles/nova/templates/nova.conf.j2 @@ -110,6 +110,7 @@ memcache_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address [keystone_authtoken] +service_type = compute www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2 index 621dd2ee13..c548963357 100644 --- a/ansible/roles/octavia/templates/octavia.conf.j2 +++ b/ansible/roles/octavia/templates/octavia.conf.j2 
@@ -58,6 +58,7 @@ memcache_secret_key = {{ memcache_secret_key }} memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} [keystone_authtoken] +service_type = load-balancer www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/placement/templates/placement.conf.j2 b/ansible/roles/placement/templates/placement.conf.j2 index e499195353..429fd157ea 100644 --- a/ansible/roles/placement/templates/placement.conf.j2 +++ b/ansible/roles/placement/templates/placement.conf.j2 @@ -25,6 +25,7 @@ memcache_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address [keystone_authtoken] +service_type = placement www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/sahara/templates/sahara.conf.j2 b/ansible/roles/sahara/templates/sahara.conf.j2 index f53c164059..6d884bb28d 100644 --- a/ansible/roles/sahara/templates/sahara.conf.j2 +++ b/ansible/roles/sahara/templates/sahara.conf.j2 @@ -16,6 +16,7 @@ connection_recycle_time = {{ database_connection_recycle_time }} max_pool_size = {{ database_max_pool_size }} [keystone_authtoken] +service_type = data-processing auth_url = {{ keystone_internal_url }} auth_type = password user_domain_name = {{ default_project_domain_name }} diff --git a/ansible/roles/senlin/templates/senlin.conf.j2 b/ansible/roles/senlin/templates/senlin.conf.j2 index 804a35ec9c..d320dd685d 100644 --- a/ansible/roles/senlin/templates/senlin.conf.j2 +++ b/ansible/roles/senlin/templates/senlin.conf.j2 @@ -42,6 +42,7 @@ workers = {{ openstack_service_workers }} {% endif %} [keystone_authtoken] +service_type = clustering www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password 
diff --git a/ansible/roles/solum/templates/solum.conf.j2 b/ansible/roles/solum/templates/solum.conf.j2 index 4ebec02f35..2023e73459 100644 --- a/ansible/roles/solum/templates/solum.conf.j2 +++ b/ansible/roles/solum/templates/solum.conf.j2 @@ -48,6 +48,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = application_deployment www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/tacker/templates/tacker.conf.j2 b/ansible/roles/tacker/templates/tacker.conf.j2 index df2fa1c2c4..54ee902a2c 100644 --- a/ansible/roles/tacker/templates/tacker.conf.j2 +++ b/ansible/roles/tacker/templates/tacker.conf.j2 @@ -32,6 +32,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = nfv-orchestration www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/trove/templates/trove.conf.j2 b/ansible/roles/trove/templates/trove.conf.j2 index f58ab43ab9..7f12ffc10f 100644 --- a/ansible/roles/trove/templates/trove.conf.j2 +++ b/ansible/roles/trove/templates/trove.conf.j2 @@ -50,6 +50,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = database www_authenticate_uri = {{ keystone_internal_url }} project_domain_name = {{ default_project_domain_name }} project_name = service diff --git a/ansible/roles/vitrage/templates/vitrage.conf.j2 b/ansible/roles/vitrage/templates/vitrage.conf.j2 index 07b442afd6..04472f4a40 100644 --- a/ansible/roles/vitrage/templates/vitrage.conf.j2 +++ b/ansible/roles/vitrage/templates/vitrage.conf.j2 @@ -27,6 +27,7 @@ types = {{ vitrage_datasources|map(attribute='name')|join(',') }} plugins = jaccard_correlation [keystone_authtoken] +service_type = rca www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password 
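Review bot: In solum.conf.j2 the added `service_type = application_deployment` is the only value in this commit spelled with an underscore; the other multi-word types are hyphenated (`application-catalog`, `nfv-orchestration`, `data-processing`). That may be intentional if the Solum endpoint is registered with the underscore form, but the match is presumably an exact string comparison, so a one-character difference would make access rules for this service unusable. Worth confirming against the role's service registration and noting it in a comment, e.g. `# underscore is intentional: matches the registered Keystone service type`.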
diff --git a/ansible/roles/watcher/templates/watcher.conf.j2 b/ansible/roles/watcher/templates/watcher.conf.j2 index 6ac5b966a3..99737d5b5e 100644 --- a/ansible/roles/watcher/templates/watcher.conf.j2 +++ b/ansible/roles/watcher/templates/watcher.conf.j2 @@ -19,6 +19,7 @@ max_pool_size = {{ database_max_pool_size }} max_retries = -1 [keystone_authtoken] +service_type = infra-optim www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/ansible/roles/zun/templates/zun.conf.j2 b/ansible/roles/zun/templates/zun.conf.j2 index 3dc4d1c8e1..55b6613d63 100644 --- a/ansible/roles/zun/templates/zun.conf.j2 +++ b/ansible/roles/zun/templates/zun.conf.j2 @@ -48,6 +48,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres # keystone_authtoken sections are used and Zun internals may use either - # - best keep them both in sync [keystone_authtoken] +service_type = container www_authenticate_uri = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }} auth_type = password diff --git a/releasenotes/notes/fix-app-cred-access-rules-14b5dcfcd5a5669a.yaml b/releasenotes/notes/fix-app-cred-access-rules-14b5dcfcd5a5669a.yaml new file mode 100644 index 0000000000..ea173016a8 --- /dev/null +++ b/releasenotes/notes/fix-app-cred-access-rules-14b5dcfcd5a5669a.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Adds configuration necessary for application credential access rules to + properly function. + `LP#1965111 `__
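Review bot: In zun.conf.j2 the context comment directly above `[keystone_authtoken]` asks for this section and its sibling to be kept in sync, yet `service_type = container` is added only here. If the option is meaningful only to the auth_token middleware, extend the comment to say so, e.g. `# service_type is keystone_authtoken-only (application credential access rules)`. Otherwise mirror the line in the other section. The sibling section lies outside the hunk, so I cannot tell whether the two already differ.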